Skip to content
Effectuez une recherche pour en savoir plus sur les produits et solutions InterSystems, les offres d'emploi, etc.

Advisory: Consent API allows for the creation of consent policies for non-existing MPI IDs

September 1, 2020 – Advisory: Consent API allows for the creation of consent policies for non-existing MPI IDs

InterSystems has corrected a defect when using the Consent API, where it is possible to associate a consent policy with an MPI ID that does not yet exist. If that MPI ID is later created and assigned to a patient, the previously associated consent policy will be applied to that patient.

This problem exists for:

  • All HealthShare Unified Care Record/Information Exchange versions

Two Consent API methods are affected by this issue:

  • AddEditMPIConsentPolicy
  • AddEditPatientPolicy

The input parameters for these methods identify a patient via an MPI ID and optionally an MRN and MRN Assigning Authority. Prior to this fix, it is possible to associate a consent policy with an MPI ID that does not yet exist. If that MPI ID is later assigned to a patient, the consent policy will be applied to that patient. This is identified as a patient privacy concern as an erroneous consent policy may result in inappropriate access to the patient demographic information or clinical data. This issue does not cause an increased risk of disclosure outside of HealthShare.

A fix is available for this issue. The fix validates whether the MPI ID exists before associating a consent policy with it. If the MPI ID does not exist, the API transaction will not succeed, and the consent policy will not be associated with that MPI ID.

This fix now validates the MPI ID exists, but it cannot validate that an existing MPI ID passed in is the correct ID for the intended target patient. MRN and MRN Assigning Authority were validated prior to this fix and continue to be validated. However, there is no validation that the MRN and MRN Assigning Authority are valid for the specified MPI ID. Applications and users of the Consent API should continue to exercise caution when inputting patient identifiers as arguments to the API methods.

Additionally, the Consent API methods do not validate the following. A fix is not yet available to validate these input parameters. Customers are strongly encouraged to test their usage of the consent API to ensure that input parameters are specified appropriately.

  • Decision: this is a required field, but it is possible to omit it. The methods will return an error if the input value is invalid.
  • ClinicialInformationType: this is a required field for the AddEditPatientPolicy method. The method will return an error if the input value is omitted but will not return an error if an invalid value is entered.
  • EffectiveDate, EventEffective, EventExpiration, ExpirationDate: these are optional fields. The methods require these dates to be in $h format and do not return an error for any invalid date formats.
  • GroupList: this is an optional field. The methods will not return an error if an invalid group is entered.
  • RelationshipList: this is an optional field. The methods will not return an error if an invalid relationship is entered. Additionally, the methods will silently ignore this parameter if AppliesTo is not set to "R".

The correction for this defect is identified as dev key HSIEC-3190 and will be included in all future product releases. It is also available via Adhoc change file (patch) or full kit distribution from the Worldwide Response Center (WRC).

If you have any questions regarding this advisory, please contact the WRC.

RELATED TOPICS

Latest Alerts & Advisories

15 Aug 2024
InterSystems has corrected a defect that can cause database corruption or errors with multi-volume databases under extremely rare circumstances. Only databases that have been truncated are at risk.
24 Jul 2024
There are four alerts in the HS2024-03 Alert Communication. A summary of each alert is shown below. Details for each alert are contained in the linked document.
24 Jun 2024
Broadcom recently announced a problem that can cause data consistency errors in database applications. The Broadcom article is available here:
30 May 2024
Beginning with the release of InterSystems IRIS® data platform 2022.3, InterSystems corrected the license enforcement mechanism to include REST and SOAP requests. Due to this change, environments with non-core-based licenses that use REST or SOAP may experience greater license utilization after upgrading. To determine if this advisory applies to your InterSystems license, follow the instructions in the FAQ linked below.
01 May 2024
InterSystems has corrected an issue that can cause a small number of SQL queries to return incorrect results. See below for the specifics on impacted queries.
08 Apr 2024
InterSystems has encountered a defect that causes some upgrades of HealthShare® Health Connect to fail. This only affects instances that are not licensed for the use of FHIR® and that have interoperability-enabled namespaces. Under these conditions, the upgrade fails with an error.
19 Mar 2024
In evaluating an IBM Support notification, InterSystems has determined a potential impact for our customers. The notification in question is:
27 Feb 2024
There is 1 alert in the HealthShare HS2024-limited Alert communication. An alert summary for the issue is shown is in the table below. Details for the alert are contained in the attached document: HS2024 Limited Communication.
01 Feb 2024
There are 2 alerts in the HealthShare HS2024-02 Alert communication. An alert summary for each issue is shown is in the table below. Details for each alert are contained in the attached document: HS2024-02-Communication.

Passez à l'étape suivante

Nous serions ravis d'échanger avec vous. Remplissez les champs suivants et nous vous recontacterons.
*Champs obligatoires
Veuillez remplir tous les champs obligatoires*
*Champs obligatoires
Veuillez remplir tous les champs obligatoires*
** En cochant cette case, vous consentez à recevoir des actualités, des mises à jour et toute autre information à objectif marketing liés aux produits et événements actuels et futurs d'InterSystems. En outre, vous consentez à ce que vos coordonnées professionnelles soient saisies dans notre solution CRM hébergée aux États-Unis, mais conservées conformément aux lois applicables en matière de protection des données.